McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

The new variant has the same functionalities as the .c variant.  There is minor code changes.  It has the same file size as the .c variant.

This is a mass-mailing worm with the following characteristics:

• contains its own SMTP engine to construct outgoing messages
• harvests email addresses from the victim machine
• the From: address of messages is spoofed
• contains a remote access component (notification is sent to hacker)

Messages are constructed as follows:

From : (address is spoofed)
Body : (Message body is empty)
Subject :

• Accounts department
• Ahtung!
• Camila
• Daily activity report
• Flayers among us
• Freedom for everyone
• From Hair-cutter
• From me
• Greet the day
• Hardware devices price-list
• Hello my friend
• Hi!
• Jenny
• Jessica
• Looking for the report
• Maria
• Melissa
• Monthly incomings summary
• New Price-list
• Price
• Price list
• Pricelist
• Price-list
• Proclivity to servitude
• Registration confirmation
• The account
• The employee
• The summary
• USA government abolishes the capital punishment
• Weekly activity report
• Well...
• You are dismissed
• You really love me? he he

Attachment : randomly named binary within a .ZIP file (~16KB).

The EXE file within the ZIP archive uses the following icon, to make it appear that the file is an Excel file.

Like its predecessors, this worm checks the system date. If it is the 14th March 2004 or later, the worm simply exits and does not propagate.

Upon running the file, Notepad.exe is opened, with a blank window. 

The virus copies itself into the Windows system directory as README.EXE, for example:

C:\WINNT\SYSTEM32\README.EXE

It also creates other files in this directory to perform its functions:

• onde.exe (18,944 bytes) - DLL to perform mailing
• doc.exe (1,536 bytes) - DLL loader
• readme.exeopen (~16KB) - ZIP to be sent via email

The following Registry key is added to hook system startup:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "gouday.exe" = C:\WINNT\SYSTEM32\README.EXE

Additionally, the following Registry keys are added:

• HKEY_CURRENT_USER\Software\DateTime2 "frun"
• HKEY_CURRENT_USER\Software\DateTime2 "uid"
• HKEY_CURRENT_USER\Software\DateTime2 "port"

A mutex called "imain_mutex" is created to ensure only one instance of the worm is running at a time.

This worm attempts to terminate the process of security programs with the the following filenames:

• ATUPDATER.EXE
• ATUPDATER.EXE
• AUPDATE.EXE
• AUTODOWN.EXE
• AUTOTRACE.EXE
• AUTOUPDATE.EXE
• AVLTMAIN.EXE
• AVPUPD.EXE
• AVWUPD32.EXE
• AVXQUAR.EXE
• CFIAUDIT.EXE
• DRWEBUPW.EXE
• ICSSUPPNT.EXE
• ICSUPP95.EXE
• LUALL.EXE
• MCUPDATE.EXE
• NUPGRADE.EXE
• NUPGRADE.EXE
• OUTPOST.EXE
• UPDATE.EXE

Symptoms

• Port 2745 (TCP) open on the victim machine
• Outgoing messages matching the described characteristics
• Files/Registry keys as described

Method of Infection

Mail Propagation

This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

• .ADB
• .ASP
• .CFG
• .DBX
• .EML
• .HTM
• .HTML
• .MDX
• .MMF
• .NCH
• .ODS
• .PHP
• .PL
• .SHT
• .TXT
• .WAB

The virus spoofs the sender address by using a harvested address in the From: field.

The virus avoids sending itself to addresses containing the following:

• @avp.
• @hotmail.com
• @microsoft
• @msn.com
• local
• noreply
• postmaster@ 
• root@

Remote Access Component

The virus listens on TCP port 2745 for remote connections. It attempts to notify the author that the infected system is ready to accept commands, by contacting various websites, calling a PHP script on the remote sites. At the time of this writing this script does not exist on any of these sites.

http://permail.uni-muenster.de/scr.php
http://www.songtext.net/de/scr.php
http://www.sportscheck.de/scr.php

After March 14th, this component of the worm is also deactivated.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

Characteristics -

The new variant has the same functionalities as the .c variant.  There is minor code changes.  It has the same file size as the .c variant.

This is a mass-mailing worm with the following characteristics:

• contains its own SMTP engine to construct outgoing messages
• harvests email addresses from the victim machine
• the From: address of messages is spoofed
• contains a remote access component (notification is sent to hacker)

Messages are constructed as follows:

From : (address is spoofed)
Body : (Message body is empty)
Subject :

• Accounts department
• Ahtung!
• Camila
• Daily activity report
• Flayers among us
• Freedom for everyone
• From Hair-cutter
• From me
• Greet the day
• Hardware devices price-list
• Hello my friend
• Hi!
• Jenny
• Jessica
• Looking for the report
• Maria
• Melissa
• Monthly incomings summary
• New Price-list
• Price
• Price list
• Pricelist
• Price-list
• Proclivity to servitude
• Registration confirmation
• The account
• The employee
• The summary
• USA government abolishes the capital punishment
• Weekly activity report
• Well...
• You are dismissed
• You really love me? he he

Attachment : randomly named binary within a .ZIP file (~16KB).

The EXE file within the ZIP archive uses the following icon, to make it appear that the file is an Excel file.

Like its predecessors, this worm checks the system date. If it is the 14th March 2004 or later, the worm simply exits and does not propagate.

Upon running the file, Notepad.exe is opened, with a blank window. 

The virus copies itself into the Windows system directory as README.EXE, for example:

C:\WINNT\SYSTEM32\README.EXE

It also creates other files in this directory to perform its functions:

• onde.exe (18,944 bytes) - DLL to perform mailing
• doc.exe (1,536 bytes) - DLL loader
• readme.exeopen (~16KB) - ZIP to be sent via email

The following Registry key is added to hook system startup:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "gouday.exe" = C:\WINNT\SYSTEM32\README.EXE

Additionally, the following Registry keys are added:

• HKEY_CURRENT_USER\Software\DateTime2 "frun"
• HKEY_CURRENT_USER\Software\DateTime2 "uid"
• HKEY_CURRENT_USER\Software\DateTime2 "port"

A mutex called "imain_mutex" is created to ensure only one instance of the worm is running at a time.

This worm attempts to terminate the process of security programs with the the following filenames:

• ATUPDATER.EXE
• ATUPDATER.EXE
• AUPDATE.EXE
• AUTODOWN.EXE
• AUTOTRACE.EXE
• AUTOUPDATE.EXE
• AVLTMAIN.EXE
• AVPUPD.EXE
• AVWUPD32.EXE
• AVXQUAR.EXE
• CFIAUDIT.EXE
• DRWEBUPW.EXE
• ICSSUPPNT.EXE
• ICSUPP95.EXE
• LUALL.EXE
• MCUPDATE.EXE
• NUPGRADE.EXE
• NUPGRADE.EXE
• OUTPOST.EXE
• UPDATE.EXE

Symptoms

Symptoms -

• Port 2745 (TCP) open on the victim machine
• Outgoing messages matching the described characteristics
• Files/Registry keys as described

Method of Infection

Method of Infection -

Mail Propagation

This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

• .ADB
• .ASP
• .CFG
• .DBX
• .EML
• .HTM
• .HTML
• .MDX
• .MMF
• .NCH
• .ODS
• .PHP
• .PL
• .SHT
• .TXT
• .WAB

The virus spoofs the sender address by using a harvested address in the From: field.

The virus avoids sending itself to addresses containing the following:

• @avp.
• @hotmail.com
• @microsoft
• @msn.com
• local
• noreply
• postmaster@ 
• root@

Remote Access Component

The virus listens on TCP port 2745 for remote connections. It attempts to notify the author that the infected system is ready to accept commands, by contacting various websites, calling a PHP script on the remote sites. At the time of this writing this script does not exist on any of these sites.

http://permail.uni-muenster.de/scr.php
http://www.songtext.net/de/scr.php
http://www.sportscheck.de/scr.php

After March 14th, this component of the worm is also deactivated.

Removal -

Removal -

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A